News & Insights

German Data Protection Authority reports DeepSeek to Apple and Google in Germany as unlawful content

The Berlin Commissioner for Data Protection and Freedom of Information has reported the AI application DeepSeek to Google and Apple in Germany as potentially unlawful content. The platform operators are now obliged to promptly review the report and decide whether to block the app. The measure was prompted by a data protection violation involving the unlawful transfer of users’ personal data to China.

European Data Protection Board clarifies rules on data requests from third countries

On June 5, 2025, the European Data Protection Board (EDPB) published the final guidelines on Article 48 of the GDPR. They clarify under which conditions personal data may be transferred to authorities outside the EU. The central message: Judgments or orders from third-country authorities are not automatically enforceable within the EU. Data transfers may take place if there is an international agreement – or, in exceptional cases, if other legal grounds can be relied upon. These exceptions must always be assessed on a case-by-case basis and interpreted restrictively.

EDPB publishes principles for GDPR-compliant age verification

On 11 February 2025, the European Data Protection Board (EDPB) published ten key principles for designing age verification (also referred to as “age assurance”) in compliance with the GDPR. The aim is to better protect children in digital environments – without compromising their fundamental rights. Age verification should always be risk-based and proportionate: the more sensitive the content or service, the stricter the requirements may be. At the same time, the EDPB emphasizes the principle of data minimization – only data that is strictly necessary should be processed. Often, a simple “18+” confirmation is sufficient, without requiring disclosure of the full date of birth.

Data protection violation by AI chatbot "Replika": Italian supervisory authority imposes €5 million fine

The Italian Data Protection Authority has imposed a fine of €5 million on the U.S.-based company Luka Inc., operator of the AI-powered chatbot Replika, due to serious violations of key GDPR data protection principles. Replika is marketed as a virtual conversation partner and specifically targets sensitive and sometimes vulnerable user groups. The AI processes personal data such as communication content and users’ emotional self-disclosures to continuously improve its performance. During the investigation, the authority identified several infringements, including the lack of effective protection for minors: despite being clearly aimed at a younger audience, minors could use the service without restriction. There was no functioning age verification system in place (Articles 8, 25 GDPR). Additionally, the data processing for model development was carried out without a sufficient legal basis (Article 5(1)(a), Article 6 GDPR), and the privacy policy was found to be inadequate – missing essential information such as data retention periods, details of data transfers, or the use of automated decision-making (Articles 12, 13 GDPR).

DPC: Major Fine Issued Against TikTok

On May 2, 2025, the Irish Data Protection Commission (DPC) imposed a fine of €530 million on TikTok Technology Limited. The penalty followed an investigation which concluded that TikTok fails to ensure that the personal data of users from EU countries is protected to a level equivalent to the standards required under the GDPR.

Microsoft Completes EU Data Boundary – With Exceptions

In March 2025, Microsoft announced the completion of its EU Data Boundary project. Customer data from services such as Azure, Microsoft 365, and Dynamics 365 will now be stored and processed exclusively within the EU. However, there are exceptions: certain security-related data, diagnostics, and analytics may still be processed outside the EU.
